Microsoft Web Sites Expose User Information

Microsoft has had another close call with Web site security—this time on two virtual servers that the company had used earlier this year to conduct sweepstakes. Back in September, Microsoft offered its bCentral partners the opportunity to win Web tools by entering a sweepstakes. In October, MSN ran a sweepstakes offering the chance to win a trip for two to Las Vegas as part of Microsoft's "Meet Windows Me" campaign. The bCentral contest ended in October, while the MSN contest ended in November, and the sites were subsequently updated to reflect that status.

However, over this past weekend, Erik Schroeder found more than he expected when he surfed the Web to look for the Las Vegas sweepstakes Web site. When he entered the site's URL (http://www.meetmesweeps.com), instead of viewing the anticipated home page, he found an administrative interface that Microsoft apparently had designed to view the information that sweepstakes entrants had submitted for both contests. After clicking the Web interface, Erik soon realized he could download the entire database of entrants from both contests. In addition, the interface had links to view various Web server statistics from a MediaHouse statistics server.

After learning of the apparent security lapse, Erik contacted us at [email protected] on Sunday afternoon and asked us to take a look. After reading Erik's email message, I was more than surprised at his findings, especially because Microsoft had suffered a few Web site compromises recently. When I entered the URL for the site, I didn't see the administrative interface. Instead, I saw the expected Web page explaining that the sweepstakes had ended. I contacted Erik with my findings, and we agreed that someone had made changes to the server to correct the security oversight. I put the matter out of my mind for the rest of the day.

On Monday morning, I had another surprise in my inbox—Erik had checked the Web site again. The administrative interface was back online, and Erik had sent some screenshots to show what it looked like. After looking at the screens, I opened the Web site in my browser and sure enough, there was the administrative interface for the bCentral and Las Vegas sweepstakes sites, as Figure 1 shows.

After clicking the administrative interface link for the Vegas contest, I saw a page that detailed the number of contest entrants for each week of the sweepstakes. The interface, as Figure 2 shows, had links to download email addresses and contact information, as well as other data. Take note that I intentionally obscured the screenshot to protect the actual figures.

Although I didn't view or download any contest entrant data, Erik said the database contains more than 50,000 names and related contact information. When I asked Erik if the information seemed real or more like test data, Erik said a quick cross-reference of a couple of names against Yahoo's search engine verified that the database contained information about real people.

Erik contacted Microsoft about his findings using a Web-based feedback form on the company's site, while we sent email to Microsoft's corporate security group ([email protected]) alerting them to the situation. Shortly thereafter, we found the site was secured. However, it remains unknown how long the site was exposed and how many people downloaded the two contest databases.

With a little more investigating, I found that the domain name meetmesweeps.com is not registered by Microsoft but by Communicator|e in Chicago, which is the brand marketing group of Lighthouse Global Network. Apparently, Microsoft had contracted the firm to handle the sweepstakes operations. Communicator|e lists a host of well-known clients, including Amoco, Oscar Mayer, Keebler, Kraft, Sony, Polaroid, Motorola, Nabisco, Campbell's, and Jim Beam.

A DNS lookup of the host www.meetmesweeps.com showed the IP address as 209.61.155.44, which reverses to web3.madonna.net—a Web-hosting server located at Rackspace, a managed hosting company based in San Antonio, Texas. No information was available as to why the lapse in security occurred. At the time of this report, Microsoft was still investigating the matter. We were unable to reach anyone at Communicator|e for comment.